Matt Cutts has published an article which highlights three different ways to secure your WordPress installation. The first tip involves locking down your admin directory: Matt configures his .htaccess file so that only his IP address is allowed to access the wp-admin directory. For the second tip, you should create a blank index.html file to place into your wp-content/plugins directory. Without it, a server that has directory listings enabled will show the contents of the plugin folder, giving nosy people an idea as to which plugins you have installed.

Matt’s third and final tip involves subscribing to the official WordPress development blog (http://wordpress.org/development/feed/). As we should all know by now, this is the best way to stay up to date.

Matt also offers a bonus tip, suggesting that you remove the line of code within your header.php file that publishes your WordPress version.

All of these are excellent tips. But what do you do to secure your WordPress installation?

Besides the above tips, it’s always a good idea on a production server to disallow directory listings.

This can be done in the .htaccess file (for Apache) and when done correctly, you won’t need to put a blank index file in your wp-content/plugins directory to prevent someone from seeing what plugins are there.
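Matt’s first two tips and the directory-listing point in the comment above, as one added .htaccess example. This is not Matt’s configuration and not code from the original post; it assumes Apache with AllowOverride permitting Options and access-control directives, and 203.0.113.7 (a documentation address from RFC 5737) stands in for your own static IP.

```apache
# ---- /.htaccess (WordPress document root) ----
# Disable directory listings for the whole site. With this in place the blank
# index.html in wp-content/plugins is no longer needed: a request for
# /wp-content/plugins/ returns 403 instead of a list of installed plugins.
Options -Indexes

# ---- /wp-admin/.htaccess ----
# Admit only the trusted address (203.0.113.7 is a placeholder; use your own).
# Apache 2.4 ships mod_authz_core and uses Require; 2.2 uses Order/Allow/Deny,
# so both forms are given and the matching one is picked at runtime.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.7
    # Caveat: themes and plugins may call admin-ajax.php from public pages,
    # so that one file is left reachable. Remove this section if nothing
    # on the public site needs it.
    <Files admin-ajax.php>
        Require all granted
    </Files>
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.7
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
    </Files>
</IfModule>
```

Two checks after deploying: fetching http://blog.example.com/wp-content/plugins/ from anywhere should give a 403, and fetching /wp-admin/ from an address other than the one listed should also give a 403. If the host’s AllowOverride does not include Options, the Options line itself makes Apache answer 500 for the whole site; drop that line and ask the host to set Options -Indexes in the server configuration instead.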

Yeah, it is possible to use a .htaccess file and only allow your own IP access to the admin directory. But you really limit yourself in that case. All of a sudden the only place you can do anything with your WordPress site is when you are at home. It is far from a perfect solution.

I’d say that the most important action you can take is to backup your blog automatically. No matter what goes wrong you can correct it in a matter of minutes.

Second: Keep up to date. I don’t know how many out of date WordPress installs I’ve seen. Many of them would be possible to take over in a matter of minutes.

Since people who use remote-server hosting (which is the primary way folks put up their own domain) generally do not have a dedicated IP, I have been considering ways some of the values IP-locking might be approximated or simulated for remote-host users. Since this arrangement is so prevalent, I have done some searching to see if others have already addressed it, but haven’t found much.

@GaMerZ #6 – Seconded.

With respect to foiling /wp-content/plugins/ access: my inexpert sense would be, many plugins would be unsuitable for malicious activity, and an exploiter would have an idea which specific plugin(s) were susceptible to abuse. Can, indeed, access be effected by *presuming* that a certain plugin title is present in the directory? Assuming this is the case, what might we do to ‘harden’ specific plugin subdirectories (which we suspect may be the vulnerable/attractive titles)?

Matt’s post was a nice roundup. It is funny that I did a post on WordPress security a week before. Strong passwords are essential, but take a look at the login lock down plugin. It locks people out after so many failed login attempts. This will help stop brute force attempts on the admin login. Read more about hardening WordPress from the source at http://codex.wordpress.org/Hardening_WordPress

Just a piece of warning: find out whether you have a dynamic IP before changing .htaccess to keep all others out.
It is pretty widespread in Europe to have your IP change every 24 hours, so you might accidentally lock yourself out.

My cable modem tends to be pretty static and hasn’t given me a new IP since I pretty much signed up, despite several power outages. I also allow the gateway IP at work to get through, just in case. But for remote “roaming” access, I also check for a very lengthy, highly randomly generated cookie. The script that sets this cookie will only allow machines in a select list of IPs to access it, so access to setting this cookie is very limited. It kind of works like a poor man’s two-factor authentication. If I suspect that the cookie has been stolen and compromised, I can always SSH into the machine, change the random token (after checking everything else, of course) and reset the cookie.

Thus, I can either get in without the cookie by accessing it from set IPs, or I can “brand” a laptop with the cookie and access it from anywhere. All of this occurs at the server level (via Apache mod_rewrite rules) before it even reaches WordPress; attackers never get to WordPress. It’s not perfect, but it’s stronger than the defaults.
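An added illustration of the “trusted IP or branded cookie” gate the comment above describes. These are not the commenter’s actual rules; the addresses 203.0.113.7 and 198.51.100.20 are documentation placeholders standing in for the home and office gateways, the cookie name wpadm_token and the script name set-admin-cookie.php are invented for the example, and the token value is a placeholder for a long random string you generate yourself. The rules go in the WordPress root .htaccess and assume mod_rewrite is enabled.

```apache
RewriteEngine On

# Gate the admin area: forbid the request unless it comes from a trusted
# address OR carries the branded cookie with the current token. Every
# RewriteCond must hold for the RewriteRule to fire, so the negated
# conditions together mean "none of the allowed cases applies".
RewriteCond %{REQUEST_URI} ^/wp-admin(/|$) [NC]
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.7$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.20$
# Match the whole cookie value, bounded by the cookie separators, so a
# prefix of the token is not enough.
RewriteCond %{HTTP_COOKIE} !(^|;\s*)wpadm_token=REPLACE_WITH_LONG_RANDOM_HEX(;|$)
RewriteRule ^ - [F]

# The script that issues the cookie is reachable from the trusted addresses
# only, so a roaming laptop has to be "branded" while sitting on one of them.
RewriteCond %{REQUEST_URI} ^/set-admin-cookie\.php$
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.7$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.20$
RewriteRule ^ - [F]
```

Rotating the token is the revocation step the commenter mentions: edit the value in the RewriteCond over SSH and every branded machine is locked out until it visits the script again from a trusted address. Two caveats a practitioner will want: the login form lives at /wp-login.php, outside /wp-admin/, so add it to the first condition if it should be gated as well; and the cookie is only as secret as its transport and storage, so the script should set it with the Secure and HttpOnly flags, the admin area should be served over HTTPS, and the .htaccess holding the token must not be readable by other users on a shared host.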

Removing the version information from your header.php is security by obscurity.

There are a lot of other ways of determining the precise WordPress version you’re running (Available XML-RPC functions, certain HTML structures, …).

If you look at the exploits for older WordPress security vulnerabilities that are out there, that’s exactly what they do.

So the best thing to do is always keep your blog at the latest version and upgrade as soon as possible when a new release is made. Or, for the more technically savvy, implement the security patches manually as soon as they become available in the WordPress code repository.

Bull dogs. And motion activated machine guns. Sadly, with the two security measures in place I start to run short on bull dogs … no idea why. They always like to run around the guns .. hmmm …

.htaccess is always good. Maybe just flat out renaming your admin folder would work, though you’d probably have to go around and do a few fixes in the core. All my directories are locked down so people can’t snoop around.

1. As others have mentioned, disable directory listing. This has many benefits, but ultimately is security-by-obscurity.
2. If possible, set up the administrative interface such that it can only be accessed over a secure (SSL/TLS) connection. For example, people could read your blog at http://blog.example.com/, but you would need to access https://blog.example.com/wp-admin/ to administer it, post, etc. This way, your password is never sent in the clear. This may require coordination with your host.
3. If this is not possible, look into SSH proxying to your host. Many web hosts offer both FTP and SSH access to users, and in most cases you can use SSH to “proxy” your admin connections, so as to keep your admin name/password secure. This is not trivial, but it isn’t terribly difficult to use PuTTY (for establishing the SSH connection on Windows) and QuickProxy (a plugin for Firefox enabling you to quickly switch between direct connections and the SSH-secured proxy connection) to make it work.
4. Keep your WordPress installation up to date. Yes, I know that some updates change some aspects of WP that we like, but keeping your WP installation secure is important.
5. Use a different password for your WordPress account than you do for your email or other services. Make it hard to guess.
6. Make sure you have a random SECRET_KEY in your wp-config file. WordPress provides a service to generate a random SECRET_KEY here. This ensures that cookies and other stuff are randomized differently from other WP blogs, making it much more difficult for bad guys to attempt to break in.
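An added example for item 2 in the list above, not code from the commenter or from WordPress: a mod_rewrite redirect in the root .htaccess that sends every request for the admin area or the login form over to HTTPS. It uses blog.example.com, the placeholder host from the list, and assumes the host already serves the site with a valid certificate.

```apache
RewriteEngine On

# %{HTTPS} is "on" only when Apache itself terminated TLS. Behind a proxy or
# load balancer that terminates TLS for you, test the forwarded header instead:
#   RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{HTTPS} !=on
# The password is POSTed to wp-login.php, not to /wp-admin/, so redirecting
# only the admin directory would still leak it; cover both paths.
RewriteCond %{REQUEST_URI} ^/(wp-admin(/|$)|wp-login\.php$)
# Use the canonical hostname rather than %{HTTP_HOST}; the query string is
# carried over automatically because the substitution contains no "?".
RewriteRule ^ https://blog.example.com%{REQUEST_URI} [R=301,L]
```

This protects the credentials on the first request. The session cookie WordPress sets afterwards is still sent with later plain-http requests unless the application is told the admin area is HTTPS-only; newer WordPress versions honour define('FORCE_SSL_ADMIN', true); in wp-config.php for that, which makes WordPress generate https admin links and mark its cookies secure. The rewrite above remains useful as the server-side backstop for the initial visit.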
